path: root/libpod

Commit log (commit message, author, date):
* slirp: enable seccomp filter (Giuseppe Scrivano, 2020-03-26)
  add a check for --enable-seccomp support in slirp4netns. If it is supported, always enable it.
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Ensure that exec sends resize events (Matthew Heon, 2020-03-25)
  We previously tried to send resize events only after the exec session successfully started, which makes sense (we might drop an event or two that came in before the exec session started otherwise). However, the start function blocks, so waiting actually means we send no resize events at all, which is obviously worse than losing a few. Sending resizes before attach starts seems to work fine in my testing, so let's do that until we get bug reports that it doesn't work. Fixes #5584
  Signed-off-by: Matthew Heon <mheon@redhat.com>

* podmanv2 volumes (Brent Baude, 2020-03-24)
  add volume commands: create, inspect, ls, prune, and rm
  Signed-off-by: Brent Baude <bbaude@redhat.com>
* Merge pull request #5434 from mheon/force_delete_cni_netreg (OpenShift Merge Robot, 2020-03-23)
  Attempt manual removal of CNI IP allocations on refresh

  * Attempt manual removal of CNI IP allocations on refresh (Matthew Heon, 2020-03-19)
    We previously attempted to work within CNI to do this, without success. So let's do it manually, instead. We know where the files should live, so we can remove them ourselves instead. This solves issues around sudden reboots where containers do not have time to fully tear themselves down, and leave IP address allocations which, for various reasons, are not stored in tmpfs and persist through reboot. Fixes #5433
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Make libpod/lock/shm completely Linux-only (Miloslav Trmač, 2020-03-21)
  If the tests are not Linux-only, (go test ./...) still tries to build and test the package.
  Signed-off-by: Miloslav Trmač <mitr@redhat.com>

* Add a stub for libpod.Container.Top (Miloslav Trmač, 2020-03-21)
  Signed-off-by: Miloslav Trmač <mitr@redhat.com>

* Fix the libpod.LabelVolumePath stub (Miloslav Trmač, 2020-03-21)
  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Merge pull request #5088 from mheon/begin_exec_rework (OpenShift Merge Robot, 2020-03-19)
  Begin exec rework

  * Add inspect for exec sessions (Matthew Heon, 2020-03-18)
    This produces detailed information about the configuration of an exec session in a format suitable for the new HTTP API.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>

  * Add structure for new exec session tracking to DB (Matthew Heon, 2020-03-18)
    As part of the rework of exec sessions, we need to address them independently of containers. In the new API, we need to be able to fetch them by their ID, regardless of what container they are associated with. Unfortunately, our existing exec sessions are tied to individual containers; there's no way to tell what container a session belongs to and retrieve it without getting every exec session for every container. This adds a pointer to the container an exec session is associated with to the database. The sessions themselves are still stored in the container. Exec-related APIs have been restructured to work with the new database representation. The originally monolithic API has been split into a number of smaller calls to allow more fine-grained control of lifecycle. Support for legacy exec sessions has been retained, but in a deprecated fashion; we should remove this in a few releases.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>

  * Populate ExecSession with all required fields (Matthew Heon, 2020-03-18)
    As part of the rework of exec sessions, we want to split Create and Start - and, as a result, we need to keep everything needed to start exec sessions in the struct, not just the bare minimum for tracking running ones.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #5445 from sujil02/podFilter-new (OpenShift Merge Robot, 2020-03-19)
  Filter pods through pod list api

  * Filter pods through pod list api (Sujil02, 2020-03-17)
    Refactored current filter pods flow through the shared pod functions so filter pod functionalities can be shared between api and cmd.
    Signed-off-by: Sujil02 <sushah@redhat.com>
* Merge pull request #5480 from vrothberg/auto-updates (OpenShift Merge Robot, 2020-03-18)
  auto update containers in systemd units

  * auto updates (Valentin Rothberg, 2020-03-17)
    Add support to auto-update containers running in systemd units as generated with `podman generate systemd --new`. `podman auto-update` looks up containers with a specified "io.containers.autoupdate" label (i.e., the auto-update policy). If the label is present and set to "image", Podman reaches out to the corresponding registry to check if the image has been updated. We consider an image to be updated if the digest in the local storage is different than the one of the remote image. If an image must be updated, Podman pulls it down and restarts the container. Note that the restarting sequence relies on systemd. At container-creation time, Podman looks up the "PODMAN_SYSTEMD_UNIT" environment variable and stores it verbatim in the container's label. This variable is now set by all systemd units generated by `podman-generate-systemd` and is set to `%n` (i.e., the name of the systemd unit starting the container). This data is then being used in the auto-update sequence to instruct systemd (via DBUS) to restart the unit and hence to restart the container. Note that this implementation of auto-updates relies on systemd and requires a fully-qualified image reference to be used to create the container. This enforcement is necessary to know which image to actually check and pull. If we used an image ID, we would not know which image to check/pull anymore. Fixes: #3575
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

  * pkg/systemd: add dbus support (Valentin Rothberg, 2020-03-17)
    Move the dbus-connection code from libpod's healthcheck to pkg/systemd to allow for sharing the logic. Needed for the auto-updates work.
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #5536 from giuseppe/avoid-conmon-zombie (OpenShift Merge Robot, 2020-03-18)
  podman: avoid conmon zombie on exec

  * podman: avoid conmon zombie on exec (Giuseppe Scrivano, 2020-03-18)
    conmon forks itself, so make sure we reap the first process and not leave a zombie process.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #5449 from baude/manifests (OpenShift Merge Robot, 2020-03-17)
  apiv2 addition of manifests

  * apiv2 addition of manifests (Brent Baude, 2020-03-16)
    add endpoints for create, add, remove, inspect, and push. this allows manifests to be managed through the restful interfaces. also added go-bindings and tests
    Signed-off-by: Brent Baude <bbaude@redhat.com>

* config: make warning clearer (Giuseppe Scrivano, 2020-03-17)
  make clearer that the warning could also happen because the logger is set to use systemd. Closes: https://github.com/containers/libpod/issues/5443
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #5252 from QiWang19/not-reset-tempdir (OpenShift Merge Robot, 2020-03-16)
  Fix bug podman reset to not remove $XDG_RUNTIME_DIR

  * Fix bug podman reset to not remove $XDG_RUNTIME_DIR (Qi Wang, 2020-03-05)
    In some older systems we point the temporary directory to /run/user/1000 which leads podman system reset to clear unrelated files under XDG_RUNTIME_DIR. This patch only removes files created by podman if TmpDir is the same as the XDG_RUNTIME_DIR.
    Signed-off-by: Qi Wang <qiwan@redhat.com>
* Merge pull request #5469 from giuseppe/no-size-create-container (OpenShift Merge Robot, 2020-03-12)
  create: do not calculate image size

  * create: do not calculate image size (Giuseppe Scrivano, 2020-03-12)
    calculating the image size can be an expensive operation. Avoid doing it when creating a new container since the size is not needed.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Follow up changes from #5244 (Abhijeet Kasurde, 2020-03-12)
  Code review change suggested by jwhonce in https://github.com/containers/libpod/pull/5244#pullrequestreview-366574431
  Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>

* update systemd & dbus dependencies (Valentin Rothberg, 2020-03-10)
  Update the outdated systemd and dbus dependencies which are now provided as go modules. This will further tighten our dependencies and releases and pave the way for the upcoming auto-update feature.
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #5307 from QiWang19/security-opt-genkube (OpenShift Merge Robot, 2020-03-09)
  fix security-opt generate kube

  * fix security-opt generate kube (Qi Wang, 2020-03-03)
    fix #4950 add selinux options from --security-opt of the container to generate kube result
    Signed-off-by: Qi Wang <qiwan@redhat.com>
* Revert "exec: get the exit code from sync pipe instead of file" (Matthew Heon, 2020-03-09)
  This reverts commit 4b72f9e4013411208751df2a92ab9f322d4da5b2. Continues what began with revert of d3d97a25e8c87cf741b2e24ac01ef84962137106 in previous commit.
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Revert "Exec: use ErrorConmonRead" (Matthew Heon, 2020-03-09)
  This reverts commit d3d97a25e8c87cf741b2e24ac01ef84962137106. This does not resolve the issues we expected it would, and has some unexpected side effects with the upcoming exec rework.
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Revert "exec: fix error code when conmon fails" (Matthew Heon, 2020-03-09)
  This reverts commit 4632b81c81a73025a960e339f40bc805f8a6c70a. We are reverting #5373 as well, which lays the foundation for this commit, so it has to go as well.
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #5412 from rhatdan/tmpdir (OpenShift Merge Robot, 2020-03-08)
  Allow users to set TMPDIR environment

  * Allow users to set TMPDIR environment (Daniel J Walsh, 2020-03-06)
    Some users have small /var/tmp directories and need to be able to specify a different location for temporary files, which includes more space.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fix spelling mistakes in code found by codespell (Daniel J Walsh, 2020-03-07)
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* add default network for apiv2 create (Brent Baude, 2020-03-06)
  during container creation, if no network is provided, we need to add a default value so the container can be later started. use apiv2 container creation for RunTopContainer instead of an exec to the system podman. RunTopContainer now also returns the container id and an error. added a libpod commit endpoint. also, changed the use of the connections and bindings slightly to make it more convenient to write tests. Fixes: 5366
  Signed-off-by: Brent Baude <bbaude@redhat.com>

* vendor: update github.com/containernetworking/cni to v0.7.2-0.20200304161608-4fae32b84921 (Dan Williams, 2020-03-06)
  Specifically to get: https://github.com/containernetworking/cni/pull/735 6f29b0165883b2b52ccd4dcb937162ea4c86927b intercept netplugin std err. But also pulls in some interface name validation and a compatibility fix for configurations that don't set a CNI version.
  Signed-off-by: Dan Williams <dcbw@redhat.com>
* golangci: enable goimports (Valentin Rothberg, 2020-03-05)
  Enable the goimports linter and fix reports.
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

* exec: fix error code when conmon fails (Peter Hunt, 2020-03-04)
  this is a cosmetic change that makes sure podman returns a sane error code when conmon dies underneath it
  Signed-off-by: Peter Hunt <pehunt@redhat.com>

* Exec: use ErrorConmonRead (Peter Hunt, 2020-03-03)
  Before, we were using -1 as a bogus value in podman to signify something went wrong when reading from a conmon pipe. However, conmon uses negative values to indicate the runtime failed, and return the runtime's exit code. Instead, we should use a bogus value that is actually bogus. Define that value in the define package as MinInt32 (-1<< 31 - 1), which is outside of the range of possible pids (-1 << 31)
  Signed-off-by: Peter Hunt <pehunt@redhat.com>

* exec: get the exit code from sync pipe instead of file (Peter Hunt, 2020-03-03)
  Before, we were getting the exit code from the file, in which we waited an arbitrary amount of time (5 seconds) for the file, and segfaulted if we didn't find it. Instead, we should be a bit more certain conmon has sent the exit code. Luckily, it sends the exit code along the sync pipe fd, so we can read it from there. Adapt the ExecContainer interface to pass along a channel to get the pid and exit code from conmon, to be able to read both from the pipe
  Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Merge pull request #5206 from rhatdan/capabilities (OpenShift Merge Robot, 2020-03-03)
  Allow devs to set labels in container images for default capabilities.

  * Allow devs to set labels in container images for default capabilities. (Daniel J Walsh, 2020-03-02)
    This patch allows users to specify the list of capabilities required to run their container image. Setting an image/container label "io.containers.capabilities=setuid,setgid" tells podman that the contained image should work fine with just these two capabilities. Instead of running with the default capabilities, podman will launch the container with just these capabilities. If the user or image specified capabilities that are not in the default set, the container will print an error message and will continue to run with the default capabilities.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #5363 from mheon/add_ctr_validate (OpenShift Merge Robot, 2020-03-02)
  Add validate() for containers

  * Add validate() for containers (Matthew Heon, 2020-03-02)
    Until now, we've been validating every part of container configuration through the With... functions that set the options. This is fine when we are just validating the options to an individual function, but things get complicated once we need to validate conflicts between different options. We don't know the order in which things were passed, so we need the validation on both of the potential options that can conflict, resulting in significant code duplication. To solve this, add a validate() function for containers, and use this to check whether everything is in a good state. We can probably move more into this function (there are other parts of container creation that also do validation of a sort) but this is a good start to simplifying our options.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #5347 from baude/apiv2wait (OpenShift Merge Robot, 2020-03-02)
  rework apiv2 wait endpoint|binding

  * rework apiv2 wait endpoint|binding (Brent Baude, 2020-02-28)
    added the ability to wait on a condition (stopped, running, paused...) for a container. if a condition is not provided, wait will default to the stopped condition which uses the original wait code paths. if the condition is stopped, the container exit code will be returned. also, correct a mux issue we discovered.
    Signed-off-by: Brent Baude <bbaude@redhat.com>
* Merge pull request #5320 from sujil02/podtest (OpenShift Merge Robot, 2020-03-02)
  Add test to validate prune pod apiv2 binding.

  * Update pod bindings and Add test to validate prune pod apiv2 binding. (Sujil02, 2020-02-28)
    Modify the pod inspect bindings to hold current pod status. Includes test to validate on pod status and added test to check no or few pods are pruned, if the pods are in exited state.
    Signed-off-by: Sujil02 <sushah@redhat.com>